Apple's New Law Enforcement Guidelines User-Protective Measures Or Cop Out?
Some readers and authors have reacted rather poorly to news that Apple can access user information even without knowing the passcode key. As my colleague, Rob Williams covered on Thursday, some people have read Apple's admission that it will give the Feds access to certain information from a locked iOS device as tantamount to a huge breach of user security and privacy. The company will only perform these information extractions under certain conditions, and it requires that the device be identified by serial number, IMEI, and that the cops ship the product to be data mined directly to Apple at Cupertino California, but that's still seen as a blow against user rights.
I understand why some people feel this way, but I think it's the wrong way to look at the situation. The fact is, companies have always had to balance between securing user rights and obeying lawful orders to disclose certain information. Long before the Internet existed, banks were required to turn over safe deposit boxes if police had a valid warrant to search them, even if the cops didn't have a key. The Fourth Amendment was written to protect people from what were known as general warrants, which did not require the authorities to name the specific items or persons to be seized / detained.
Apple has done several things of value with this move.
It Publicly Disclosed Its Own Policies: Maybe this shouldn't be a noteworthy item, but since 9/11 the government has pulled a veil of secrecy over all actions even tangentially related to security. It has a no-fly list you can wind up on through a clerical error, but you aren't allowed to see it, challenge it, or challenge your own presence on it without going to extraordinary lengths and fighting years of court battles. Even after Snowden, we don't know which type of events or circumstances trigger the NSA to start watching a particular person. Apple has come out and given data on exactly what it will and will not do for law enforcement, and under what conditions.
Its Policies Aren't A Rollover: Federal and state law enforcement officials have often argued that a subpoena should be sufficient to compel a company to unlock a device. Apple is pushing back on that requirement by requiring a valid warrant. It's pushing back doubly hard by requiring that device be shipped to headquarters in Cupertino or presented in person by an officer of the law.
If you think about it, there's no reason Apple couldn't have a manager at every Apple Store that's allowed to interact and handle police requests with approval from corporate. Requiring that devices go to HQ is another way to discourage the police from attempting to peer into every device they come across.
It Doesn't Compromise Its Own Services: When Microsoft bought Skype, there were rumors for years that the company had a method of spying on the supposedly secure conversations. If Snowden told the truth, MS does, in fact, have precisely this ability -- and used it in the past, despite what it continued to say about its own security. Similarly, Apple could have designed its iMessage and FaceTime services to be encrypted* where the * means "Unless we really want to read it." The company didn't do this, and states that it has no capability to see such data. Similarly, we're told that third-party services (some of which may offer encryption of their own) aren't available.
There are times when the ability to access information on a phone in an emergency could be vital to saving someone's life or required by law, and Apple has allowed for those events while simultaneously taking a "Let's not make it too easy" stance. The fact that the EFF and ACLU are both praising Apple's stand on these issues is important -- both groups have leveled sustained criticism at the NSA for its various policies and called for reform of the entire surveillance structure.